
© 2014 by Pulse Secure, LLC. All rights reserved 1

Pulse Connect Secure

Pulse Policy Secure

Solutions Deployment Guide for Design and

Configuration

Product Release 8.1/5.1

Document Revision 1.0

Published: 2014-12-15


Solutions Deployment Guide for Design and Configuration

Pulse Secure, LLC 2700 Zanker Road, Suite 200 San Jose, CA 95134 http://www.pulsesecure.net

© 2014 by Pulse Secure, LLC. All rights reserved

Pulse Secure and the Pulse Secure logo are trademarks of Pulse Secure, LLC in the United States. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Pulse Secure, LLC assumes no responsibility for any inaccuracies in this document. Pulse Secure, LLC reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Pulse Connect Secure / Pulse Policy Secure Solutions Deployment Guide for Design and Configuration

The information in this document is current as of the date on the title page.

END USER LICENSE AGREEMENT

The Pulse Secure product that is the subject of this technical documentation consists of (or is intended for use with) Pulse Secure software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.pulsesecure.net/support/eula. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.

Revision History

2014-12-15 – Initial Version


Table of Contents

Introduction
Audience
Pulse Connect Secure
  a) How to configure GSLB (Global Server Load Balancing) in Stingray Traffic Manager for disaster recovery of Pulse Connect Secure Active/Passive clusters at multiple locations
Pulse Policy Secure
  a) How to configure Pulse Policy Secure to communicate with Trapeze Wireless Controllers
  b) How to deploy and configure multiple standalone Pulse Policy Secure devices behind F5 Load balancer in NAC environment


List of Figures

Figure 1 Notional Design
Figure 2 Clustering
Figure 3 Cluster Mapping
Figure 4 GSLB Locations
Figure 5 GLB Services
Figure 6 GLB Services > DNS GSLB
Figure 7 GLB Services > DNS GSLB > Connection Settings
Figure 8 Pool > DNS-loadbalance
Figure 9 virtual servers > dns-gslb
Figure 10 DNS GSLB
Figure 11 Radius Client
Figure 12 Alpha-WLAs
Figure 13 Radius Return Attribute
Figure 14 Endpoints - VLAN
Figure 15 Tasks Panel
Figure 16 802.1x Service Profile Wizard
Figure 17 Wireless Services - Configuration
Figure 18 Wireless Service Profiles
Figure 19 Service Profile Properties
Figure 20 Radius Servers
Figure 21 Network Topology
Figure 22 Load Balancer


Introduction

This document provides design and configuration information for successfully deploying Pulse Connect Secure/Policy Secure in various scenarios. It gives a detailed summary of the different environmental conditions (configuration, load, topology, and tools) under which the overall solution works.

Audience

The deployment guide is intended for customers, sales, partners, field, TAC and other users who install and configure the Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS) solutions.

Pulse Connect Secure

a) How to configure GSLB (Global Server Load Balancing) in Stingray Traffic Manager for disaster recovery of Pulse Connect Secure Active/Passive clusters at multiple locations

Use case

A large organization with multiple geographic locations has to provide disaster recovery of secure remote access to its employees, partners, and contractors.

What is the proposed solution in case of a disaster/network disruption?

The active/passive (A/P) cluster solution ensures that users can still access resources if one of the devices fails. But in case of a disaster or network disruption where both nodes of the active/passive cluster fail at one location, users will not be able to access the resources. To overcome this downtime, the proposed deployment lets users reach the resources by connecting to the devices deployed at the other location.

Disaster recovery is achieved through DNS-based Global Server Load Balancing (GSLB), where the DNS resolution of the Pulse Connect Secure hostname is handled by the load balancer. The load balancer chooses an action depending on the client network and also checks whether the backend datacenter is up or down. If one of the sites is down, it automatically sends the request to the other site.


Notional Design

The figure shows the design that was proposed for the deployment. Pulse Connect Secure devices were deployed at two geographical locations and are connected to a DNS-based Global Server Load Balancer configured in Stingray Traffic Manager.

Sample scenario:

1. Two Pulse Connect Secure SM-160s in an A/P cluster at each location.
2. Stingray Traffic Manager load balancer for DNS-based GSLB.
3. DNS server for the end point client network.
4. Datacenters in the protected network.

Figure 1 Notional Design

What are the configurations required to deploy this solution?

There are four components to be configured to ensure this solution works:

1. Pulse Connect Secure configuration
2. DNS server (end point side) configuration


3. Load balancer configuration

4. End client DNS server configuration

1. Pulse Connect Secure Configuration

In each Pulse Connect Secure A/P cluster, navigate to Clustering -> Properties and configure the External VIP for the A/P cluster (for example, 192.168.10.201 for cluster 1 and 192.168.10.8 for cluster 2).

Figure 2 Clustering

2. DNS Server on the End Client Network Configuration

In the DNS server (for example, 192.168.11.4 is the DNS IP), map the hostname to the Pulse Connect Secure VIPs. In this case, you can see three entries in the forward lookup zone for the same host name.

Pulse-sol-sa – 192.168.10.201 (mapped to A/P cluster 1 VIP)
Pulse-sol-sa – 192.168.10.9 (mapped to A/P cluster 2 VIP)


Figure 3 Cluster Mapping

Now this DNS server will be used as the backend for DNS-based GSLB load balancing in the Stingray Traffic Manager server.

3. Load Balancer Configuration

Log in to Stingray Traffic Manager. Ensure that you have the GSLB license.

3.1 GSLB locations:

Browse to Catalogs -> Locations and create the locations by selecting the country names (US, UK and so on). In this case, the lab1 and lab2 locations were created.

Figure 4 GSLB Locations

Once you create the locations, browse to the GLB Services tab and define the rules and settings for those locations.


3.2 GLB Services:

1. Click GLB Services, enter a service name (for example, DNS GSLB) and the domain names (for example, Pulse-sol-sa.trinity.pbu.local), and add the locations.

Figure 5 GLB Services

2. Click Service.


Figure 6 GLB Services > DNS GSLB

3. In Basic Settings, choose Yes to enable the service.
4. Navigate to Locations and Monitoring and check that the GSLB locations are added.
5. Click Load Balancing.
6. Select the Geographic option and then click Save.
7. Click Rules and add a rule.

NOTE: This is the most important step: the rule script ensures that users are directed to the other location's cluster in case of a failure. In the script below, PBU Lab1 and PBU Lab2 are the location names.

NOTE: The script below is TrafficScript and works only with Stingray Traffic Manager.


    if( string.ipmaskmatch( request.getremoteip(), "10.1.0.0/16" ) ) {
       # Clients on 10.1.0.0/16 prefer PBU Lab1; use PBU Lab2 only when
       # the location monitor reports PBU Lab1 as down.
       $status = glb.service.isLocationLive( "PBU Lab1" );
       if( $status == 0 ) {
          glb.service.useLocation( 'PBU Lab2' );
       } else {
          glb.service.useLocation( 'PBU Lab1' );
       }
    } else if( string.ipmaskmatch( request.getremoteip(), "10.2.0.0/16" ) ) {
       # Clients on 10.2.0.0/16 prefer PBU Lab2; use PBU Lab1 only when
       # the location monitor reports PBU Lab2 as down.
       $status = glb.service.isLocationLive( "PBU Lab2" );
       if( $status == 0 ) {
          glb.service.useLocation( 'PBU Lab1' );
       } else {
          glb.service.useLocation( 'PBU Lab2' );
       }
    }
    # Clients outside both ranges are not matched by this rule, so the GLB
    # service answers them with its configured (Geographic) load balancing.

8. Click Connection Settings and set the custom TTL to 60 seconds. Clients cache the DNS answer for at most the TTL, so after a failure they are redirected to the other node within 60 seconds.

Figure 7 GLB Services > DNS GSLB > Connection Settings


9. Navigate to the Services -> Pools section.

3.3 Pools Configuration:

Create a new pool by providing a name (for example, DNS LB), the node (the DNS server 192.168.11.4, the actual DNS server of the end client network) and the monitor DNS. Click the Create Pool button. The following page appears.

Figure 8 Pool > DNS-loadbalance

On this page, configure the following options:

Load balancing – roundrobin
Health Monitoring – DNS
Connection Management – Transparency is disabled

3.4 Virtual Server Configuration:

Navigate to the Services -> Virtual Servers page. Create a virtual server by providing the server name (for example, dns-gslb), the protocol DNS and port 53. Then select the traffic pool that you just created and click the Create Virtual Server button. The following page appears.


Figure 9 virtual servers > dns-gslb

On this page, configure the following options for the virtual server:

1. Click GLB Services, assign the service you just created (for example, DNS GSLB) and save it.
2. Enable the Request Logging option or retain the default settings.
3. Enable Connection Management.


Figure 10 DNS GSLB

The Stingray Traffic Manager load balancer configuration is now complete. Ensure that the DNS server (192.168.11.4 in this case) is reachable from the load balancer (for example, 192.168.11.5).

4. End Client Configuration

Go to the actual end client from which you connect to the Connect Secure URL (Pulse-sol-sa.trinity.pbu.local). Change the DNS server setting to the load balancer IP (192.168.11.5). This ensures that when you connect to Connect Secure, the name lookup reaches the load balancer, which then determines the action based on the location from which the request originated.

5. Test cases to verify the deployed solution

To keep the configuration in sync between the Connect Secure clusters at different locations, the A/P cluster at one location is configured to propagate its configuration to the other location on a regular basis.

Test Case 1: Take an end client in location 1 (for example, US)

Ping Pulse-sol-sa.trinity.pbu.local; it will resolve to 192.168.10.201 (A/P cluster 1 VIP) and the ping must be successful.


Now go to Connect Secure A/P cluster 1 and change the VIP to a random IP address (for example, 1.1.1.1). Then, on the end client PC, ping the same URL, Pulse-sol-sa.trinity.pbu.local. After 60 seconds (since the load balancer TTL is configured to 60 seconds), it will start resolving to the second IP address, 192.168.10.9 (A/P cluster 2 VIP).

Test Case 2: Take an end client in location 2 (for example, UK)

Ping Pulse-sol-sa.trinity.pbu.local; it will resolve to 192.168.10.9 (A/P cluster 2 VIP) and the ping must be successful.

Now go to Connect Secure A/P cluster 2 and change the VIP to a random IP address (for example, 1.1.1.1). Then, on the end client PC, ping the same URL, Pulse-sol-sa.trinity.pbu.local. After 60 seconds (since the load balancer TTL is configured), it will start resolving to the second IP address, 192.168.10.201 (A/P cluster 1 VIP).

These test cases confirm that users can reach the other location in case of a failure.
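The following Python model is an added example, not part of this guide or of Stingray Traffic Manager: it reproduces the decision logic of the TrafficScript rule above (client subnet picks a preferred location, failover when that location is down) and the two test cases, including the client-side DNS cache that explains the 60-second TTL delay. Subnets, location names and VIPs are the ones used in this guide; the client addresses, liveness flags and timestamps are constructed.

```python
"""Constructed model of the DNS-based GSLB failover described in this guide."""
import ipaddress

TTL_SECONDS = 60  # custom TTL configured under Connection Settings

# Client subnet -> (preferred location, fallback location), as in the rule.
SUBNET_POLICY = [
    (ipaddress.ip_network("10.1.0.0/16"), "PBU Lab1", "PBU Lab2"),
    (ipaddress.ip_network("10.2.0.0/16"), "PBU Lab2", "PBU Lab1"),
]

# Location -> A/P cluster VIP published in the DNS forward lookup zone.
LOCATION_VIP = {
    "PBU Lab1": "192.168.10.201",
    "PBU Lab2": "192.168.10.9",
}


def choose_location(client_ip, live):
    """Mirror the rule: the preferred location if it is live, else the other one.

    `live` maps a location name to what glb.service.isLocationLive reports.
    Returns None for clients outside both subnets; the rule does not handle
    them, so the GLB service falls back to its configured algorithm.
    """
    ip = ipaddress.ip_address(client_ip)
    for net, preferred, fallback in SUBNET_POLICY:
        if ip in net:
            return preferred if live.get(preferred, False) else fallback
    return None


def resolve(client_ip, live):
    """DNS answer the load balancer would give for the hostname, or None."""
    location = choose_location(client_ip, live)
    return LOCATION_VIP[location] if location else None


class ClientResolver:
    """Stub resolver on the end client: keeps the last answer until the TTL expires."""

    def __init__(self, client_ip):
        self.client_ip = client_ip
        self.cached = None  # (vip, expiry_time) or None

    def lookup(self, now, live):
        if self.cached and now < self.cached[1]:
            return self.cached[0]  # still within TTL: old VIP is returned
        vip = resolve(self.client_ip, live)
        self.cached = (vip, now + TTL_SECONDS)
        return vip


def run_test_case(client_ip, failed_location):
    """Test cases 1 and 2: the answer before the failure, while the stale
    answer is still cached, and after the TTL has expired."""
    client = ClientResolver(client_ip)
    live = {"PBU Lab1": True, "PBU Lab2": True}
    before = client.lookup(now=0, live=live)
    live[failed_location] = False  # VIP changed to 1.1.1.1: monitor marks it down
    cached = client.lookup(now=30, live=live)
    after_ttl = client.lookup(now=61, live=live)
    return before, cached, after_ttl


if __name__ == "__main__":
    print("Test case 1:", run_test_case("10.1.5.20", "PBU Lab1"))
    print("Test case 2:", run_test_case("10.2.5.20", "PBU Lab2"))
```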

CONCLUSION:

The proposed disaster recovery solution achieves its goal of overcoming the downtime with the help of DNS-based GSLB. The load balancer takes a decision depending on the client network and also checks whether the backend datacenter is up or down. If one of the sites is down, it automatically sends the request to the other site.

WAN clustering is not supported in Connect Secure. Hence the configuration must be propagated from one location to the other on a regular basis to ensure that it is in sync at both locations.

User sessions are not synced from one location to another. In case of a failure, users need to connect again.


Pulse Policy Secure

a) How to configure Pulse Policy Secure to communicate with Trapeze Wireless Controllers:

This section describes deploying a standalone Pulse Policy Secure (PPS) to communicate with Trapeze Wireless Controllers.

What is the configuration required on Pulse Policy Secure?

In the Policy Secure framework, the sign-in page, realm, and AAA server configurations are associated; together they determine the user and the user role. A user submits credentials through a sign-in page that specifies a realm, which is associated with an AAA server. If the access request meets the realm's authentication policy, the system forwards the user's credentials to the associated authentication server. The authentication server's job is to verify the user's identity. After verifying the user, the authentication server sends approval. If the realm also uses the server as a directory/attribute server, the AAA server sends the user's group information or other user attribute information. The access management framework then evaluates the realm's role-mapping rules to determine the user roles that apply to the session.

PPS acts as a RADIUS server that centralizes authentication and accounting for users. The WLCs are added as RADIUS clients.

The screenshot below displays the WLCs that are added as RADIUS clients in PPS.

Figure 11 Radius Client

To configure a RADIUS client, the administrator must log in to PPS, navigate to Network Access -> Radius Client and create a new RADIUS client by providing the IP address of the WLC and the shared secret.

NOTE: The administrator should select the Trapeze Networks option for the Make/Model field.


Figure 12 Alpha-WLAs

The administrator must configure the RADIUS return attributes that are returned to the RADIUS clients (WLCs) after authentication. This can be a VLAN-ID or any other filter type, for example firewall filters applied to access switches.

To configure the return attributes on PPS, the administrator must navigate to the Network Access -> Radius Return Attribute page in the PPS administrator user interface.

Figure 13 Radius Return Attribute


Figure 14 Endpoints - VLAN
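As an added example (not code from this guide or from Pulse Secure), the following Python shows what the WLC, as RADIUS client, receives from PPS when a VLAN-ID return attribute is configured: an Access-Accept carrying the RFC 2868 tunnel attributes that convey a VLAN assignment, protected by the RFC 2865 Response Authenticator computed with the shared secret configured on both sides. The shared secret, packet identifier, request authenticator and VLAN number are constructed values; the attribute numbers are the standard ones.

```python
"""Constructed RADIUS Access-Accept with VLAN return attributes, as a WLC would verify it."""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2
# RFC 2868 tunnel attributes that together assign a VLAN to the session.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = (13).to_bytes(3, "big")      # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE802 = (6).to_bytes(3, "big")  # Tunnel-Medium-Type = IEEE-802


def attr(code, value):
    """Encode one attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", code, 2 + len(value)) + value


def vlan_attributes(vlan_id, tag=1):
    """The three tagged tunnel attributes PPS returns for a VLAN-ID."""
    tag_byte = bytes([tag])
    return (attr(TUNNEL_TYPE, tag_byte + TUNNEL_TYPE_VLAN)
            + attr(TUNNEL_MEDIUM_TYPE, tag_byte + TUNNEL_MEDIUM_IEEE802)
            + attr(TUNNEL_PRIVATE_GROUP_ID, tag_byte + str(vlan_id).encode()))


def build_access_accept(identifier, request_auth, secret, attrs):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(packet, request_auth, secret):
    """Client side: a reply whose authenticator does not match the shared secret
    and the original request authenticator must be discarded."""
    if len(packet) < 20:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Return (type, value) pairs; a bad length is an error, not an infinite loop."""
    out, pos = [], 20
    while pos + 2 <= len(packet):
        code, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        out.append((code, packet[pos + 2:pos + length]))
        pos += length
    return out


def assigned_vlan(packet):
    """VLAN id from a verified Access-Accept, or None if the triple is incomplete."""
    by_tag = {}
    for code, value in parse_attributes(packet):
        if code in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) and value:
            by_tag.setdefault(value[0], {})[code] = value[1:]  # group by tag byte
    for group in by_tag.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802
                and TUNNEL_PRIVATE_GROUP_ID in group):
            return int(group[TUNNEL_PRIVATE_GROUP_ID].decode("ascii"))
    return None


def demo(secret=b"constructed-shared-secret", vlan_id=120):
    """Build an accept for a constructed request, then check it with the right and a wrong secret."""
    request_auth = os.urandom(16)  # stands in for the Access-Request authenticator
    packet = build_access_accept(7, request_auth, secret, vlan_attributes(vlan_id))
    return (verify_response(packet, request_auth, secret),
            verify_response(packet, request_auth, b"wrong-secret"),
            assigned_vlan(packet))


if __name__ == "__main__":
    print(demo())
```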

How to configure the Trapeze Wireless Controller:

You can configure the Trapeze WLC by either of the following methods:

1. RingMaster client GUI
2. WLC Command Line Interface

The RingMaster software presents a graphical user interface (GUI) that consists of a series of screens, windows, and dialog boxes. Before using the RingMaster client to perform any configuration, the RingMaster services must be started on its host. How this is done depends on the platform where it is installed.

For Windows systems, the RingMaster services are started automatically after the software installation completes and whenever the host system is restarted.

For Linux systems, the administrator can start and stop the RingMaster services manually from the command line using the shell script installed during the RingMaster service installation.

For Macintosh OS systems, the RingMaster services must be launched manually.

RingMaster can also be installed on hardware appliances.

Once the RingMaster services are running on the host server, the RingMaster client can be used to perform WLAN planning and configuration.


a. To start the RingMaster client:

For Windows systems, use the desktop icon created by the installer, or select Start -> Programs -> Juniper Networks -> RingMaster -> RingMaster.

For Linux systems, change directories to RingMaster_installation_directory/bin and enter ./ringmaster

For Macintosh systems, select Finder -> Applications -> RingMaster, or click the RingMaster icon in the dock. The RingMaster Services Connection dialog is displayed.

b. Enter the IP address or fully qualified hostname of the server on which the RingMaster services are installed. If the RingMaster services are installed on the same machine as the one running the RingMaster client, enter 127.1.0.1 as the IP address. This is a standard IP loopback address.

c. Specify a service port, if different from the port number in the Service Port list box.

d. Click Next to connect to the server.

e. If the Certificate Check dialog is displayed, click Accept.

How to configure a Wireless SSID via the RingMaster client GUI:

When you click a task in the Tasks panel on the right side of the screen, RingMaster opens a dialog box or a configuration wizard (a series of dialog boxes).


Figure 15 Tasks Panel

For example, after selecting the Configuration button on the main window toolbar, click Create WLAN Controller to open a dialog box for configuring basic WLAN Controller parameters.

The following example shows the series of dialogs in the 802.1x Service Profile wizard.


Figure 16 802.1x Service Profile Wizard

Appropriate values must be provided in the series of dialog boxes to produce a Wireless Service Profile as shown in the figure below.

Figure 17 Wireless Services - Configuration

To open a dialog box containing the configurable settings for an object, select the object in the table and then click Properties. The example below displays the Wireless Service Profiles:


Figure 18 Wireless Service Profiles

The following figure shows the properties of a wireless profile when one of them is selected.

Figure 19 Service Profile Properties

How to configure the RADIUS server in WLC via the RingMaster client (GUI):

To configure RADIUS servers:

1. Select Services -> Setup from the RingMaster menu bar. RingMaster Services is displayed.
2. Select the Access Control tab.
3. Select Radius Servers.


Figure 20 Radius Servers

4. Select Enable RADIUS Authentication, or unselect it to disable RADIUS authentication.
5. Select a Default User Group.
6. Provide information for the Primary RADIUS Server and Secondary RADIUS Server as required.

How to configure a Wireless SSID via CLI

a) Service profile creation: To create a service profile and assign it to an SSID, use the command:

set service-profile <profile-name> ssid-name <ssid-name>

An SSID can be up to 32 alphanumeric characters long.

b) Disabling or re-enabling encryption for an SSID: To specify whether the wireless SSID is encrypted or unencrypted, use the command:

set service-profile <profile-name> ssid-type [clear | crypto]

The default value is crypto.


c) Disabling or re-enabling beaconing of an SSID: To disable or re-enable beaconing of an SSID, use the command:

set service-profile <profile-name> beacon {enable | disable}

By default, SSIDs are beaconed. When beaconing for an SSID is disabled, the radio still sends beacon frames, but the SSID name in the frames is blank.

d) Changing the fallthru authentication type: By default, access is denied to users who do not match an 802.1x or MAC authentication rule. Such users fall through these authentication types. To change the fall-through method, use the command:

set service-profile <profile-name> auth-fallthru {last-resort | none | web-portal}

If web-portal is selected, the web-portal-form and web-portal-acl must be configured.

e) Changing the short retry threshold: The short retry threshold specifies the number of times a radio can send a short unicast frame for an SSID without receiving an acknowledgment for the frame. A short unicast frame is a frame that is shorter than the RTS threshold. To change the short retry threshold, use the command:

set service-profile <profile-name> short-retry <threshold>

The threshold can be a value from 1 through 15. The default is 5.

f) Configuring 802.1x on the wireless SSID:

set authentication dot1x ssid <ssid-profile-name> pass-through <PPS-radius-group>
set accounting dot1x ssid <ssid-profile-name> start-stop <PPS-radius-group>

How to configure the RADIUS server in WLC via CLI:

1. Configure the PPS server as a RADIUS server on the WLC:

set radius server <PPS_name> address <PPS_IP_address> auth-port <auth_port> deadtime 0 key <secret_key>

The default port for RADIUS authentication is 1812.

2. Configure a server group and add the configured PPS server as a member:

set server group <PPS_group_name> members <PPS_name>

3. Configure the RADIUS server retransmission timeout and dead interval timeouts:

set radius server PPS-Radius address <PPS-IP> timeout 5 retransmit 3 deadtime 5 encrypted-key <KEY>

The WLC can be configured to distribute authentication requests across multiple RADIUS servers in a server group. This reduces the load on a single PPS server and increases the resiliency of the system. When load balancing is configured, RADIUS requests for the first client are directed to the first PPS server in the group, RADIUS requests for the second client are directed to the second PPS server in the group, and so on.


b) How to deploy and configure multiple standalone Pulse Policy Secure devices behind F5 Load balancer in NAC environment:

What are the current limitations that can be solved using this deployment?

When the Pulse Secure client initiates an 802.1X authentication via a switch, RADIUS access requests are sent to the load balancer VIP listening on the RADIUS port (1812/1645). The RADIUS request, having originated from the switch IP, is load balanced to one standalone PPS, which returns the VIP address to the Pulse Secure client (supplicant). The Pulse Secure client then makes a control channel connection to the load balancer VIP listening on port 443, using the client machine IP address as the source. This SSL request might be load balanced to another standalone PPS, and the SSL connection then fails to establish because no user session exists on the second PPS.

If the Pulse Secure client is unable to establish a control channel connection with PPS, Layer 3 enforcement functionality (for example, access to resources behind a firewall joined as a PPS Enforcer) will not work.

How to address the current limitation on standalone PPS?

Instead of trying to load-balance both L2 and L3 sessions, only the Layer 2 connection request is load balanced. Each standalone node should return a unique VIP, which is then used for the Layer 3 control channel establishment.

Network Topology:

The network topology given below illustrates the solution: a Windows 7 (64-bit) laptop/desktop is connected to a dot1x-enabled port of an EX switch. The F5 load balancer is configured in 2-arm mode, where one interface connects to the EX switch and the other interface connects to the internal interface of the PPS. Both PPS devices run on the MAG SM-360 hardware platform.


Figure 21 Network Topology

What is the standard PPS configuration required to deploy this solution?

a) Configure 2 roles in the PPS devices: one for full-access provisioning and one for remediation.

b) Configure 2 role mapping rules under one realm. Each role mapping rule is mapped to a unique AD group that contains 100 users. These 100 users are mapped to two roles, one with full access and the other one either wired or wireless.

c) Configure Hostcheck: "Windows Firewall and Any Permitted AntiVirus" are configured for granting Full-Access.

d) Evaluate Hostcheck at the realm level and enforce at the role level. If the user fails to comply with the HC policy, the user is mapped to the Remediation role and the Full-Access role is removed.

e) For the PPS to support two-armed load balancing mode, configure a unique VIP address under the load balancer setting in the System -> Network -> Load Balancer section of the IC Admin UI. Ensure you enable the checkbox "Between endpoints and Junos Pulse Secure".


Figure 22 Load Balancer

F5 Load Balancer Configuration:

In order to support standalone PPS devices behind an F5 load balancer, the load balancer needs to be configured appropriately. Here are the steps for configuring the BIG-IP F5 3400 model (9.3.1 Build 37.1):

a. Configure a single VIP to process all SSL requests (port 443) to the two PPS nodes. This is required when a user accesses the load balancer hostname via a browser to download the Pulse Secure client.

b. Configure another VIP to process all RADIUS requests (authentication on port 1812 and accounting on port 1813) to the two standalone PPS nodes. This is required for the RADIUS client (switch) to send RADIUS requests to the load balancer VIP.

c. With the L2 connection load balanced, each controller must return a unique VIP, which is then used for the L3 connection. So, configure 2 unique VIPs, each pointing to the internal interface of one PPS.

d. For TCP connections, configure connection persistence based on the source IP address of the requests. This ensures that the NCP connection from the user's machine is sent to the same controller as long as the machine retains its IP address.

Hence four VIPs are configured in the F5 load balancer: the first two VIPs map to both nodes, and the next two VIPs each map to a single standalone node.
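As an added illustration that is not part of the guide, the following Python model contrasts the single shared SSL VIP described under "How to address the current limitation" with the per-node VIPs of steps c and d above. The node names, addresses, and the round-robin plus source-address persistence behaviour are simplified assumptions, not F5 internals.

```python
from itertools import cycle

# Constructed names: two standalone PPS nodes and the switch (RADIUS client) address.
NODES = ["PPS1", "PPS2"]
SWITCH_IP = "10.0.0.2"


class Pool:
    """Round-robin pool; persist_source models the F5 'persist source_addr' setting."""
    def __init__(self, members, persist_source=False):
        self._rr = cycle(members)
        self.persist_source = persist_source
        self._affinity = {}  # source IP -> member, once persistence has pinned it

    def select(self, src_ip):
        if self.persist_source and src_ip in self._affinity:
            return self._affinity[src_ip]
        member = next(self._rr)
        if self.persist_source:
            self._affinity[src_ip] = member
        return member


def _simulate(clients, l3_pool_for):
    """Authenticate each client over RADIUS, then open its L3 channel. Returns the
    clients whose L3 channel reaches a node other than the one holding their session."""
    radius = Pool(NODES)  # RADIUS VIP: every request carries the switch's source address
    failures = []
    for client_ip in clients:
        auth_node = radius.select(SWITCH_IP)
        l3_node = l3_pool_for(auth_node).select(client_ip)  # SSL carries the client IP
        if l3_node != auth_node:
            failures.append(client_ip)
    return failures


def shared_vip_design(clients, prior_ssl_hits=1):
    """The limitation: one shared 443 VIP. prior_ssl_hits models unrelated browser traffic
    on that VIP (step a), which leaves its round robin out of step with the RADIUS VIP."""
    ssl = Pool(NODES, persist_source=True)
    for i in range(prior_ssl_hits):
        ssl.select(f"198.51.100.{i + 1}")  # constructed addresses of other hosts
    return _simulate(clients, lambda auth_node: ssl)


def per_node_vip_design(clients):
    """The fix (steps c and d): each node has its own 443 VIP and returns it to the supplicant."""
    ssl_by_node = {node: Pool([node], persist_source=True) for node in NODES}
    return _simulate(clients, lambda auth_node: ssl_by_node[auth_node])
```

With the shared VIP, a single unrelated hit on the SSL VIP is enough to send every subsequent client's control channel to the wrong node; with per-node VIPs the L3 channel can only reach the node that authenticated the client.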

Following is the sample Big IP configuration:

    route default inet {
        gateway <NEXT-HOP>
    }

Unique pool configured for SSL for each PPS:

    pool Pool1-ssl {
        member <IP1-INT>:https
    }

    pool Pool2-ssl {
        member <IP2-INT>:https
    }

Pool with both PPS nodes as members, configured for RADIUS authentication requests:

    pool Pool-Radius-Auth {
        member <IP1-INT>:radius
        member <IP2-INT>:radius
    }

Pool with both PPS nodes as members, configured for RADIUS accounting requests:

    pool Pool-Radius-Acct {
        member <IP1-INT>:radius-acct
        member <IP2-INT>:radius-acct
    }

Pool with both PPS nodes as members, configured for SSL requests (the name must match the one referenced by the VIP below, since pool names are case-sensitive):

    pool Pool-ssl-all {
        member <IP1-INT>:https
        member <IP2-INT>:https
    }

VIPs configured for SSL requests: one unique VIP per PPS, plus one VIP for all PPS:

    virtual VIP-PPS1-port443 {
        destination <IP1-EXT>:https
        ip protocol tcp
        persist source_addr
        pool Pool1-ssl
    }

    virtual VIP-PPS2-port443 {
        destination <IP2-EXT>:https
        ip protocol tcp
        persist source_addr
        pool Pool2-ssl
    }

    virtual VIP-ssl-all {
        destination <IP-EXT>:https
        ip protocol tcp
        persist source_addr
        pool Pool-ssl-all
    }

Configuring the VIP for RADIUS authentication requests for all PPS (the pool name is case-sensitive and must match the pool defined above):

    virtual VIP-Radius-Auth {
        destination <IP-EXT>:radius
        ip protocol udp
        pool Pool-Radius-Auth
    }

Configuring the VIP for RADIUS accounting requests for all PPS:

    virtual VIP-Radius-Acct {
        destination <IP-EXT>:radius-acct
        ip protocol udp
        pool Pool-Radius-Acct
    }


Switch Configuration

Given below is the dot1x-related configuration for the two ports when the EX-4200 switch is used as the RADIUS client in the solution. These two ports are connected to two Windows 7 clients.

NOTE: Re-authentication is disabled.

Since all the PPS nodes are standalone, session information is not shared across nodes when Pulse re-authenticates after a specific time, so the user session will not resume seamlessly. It is therefore recommended to disable re-authentication.

set interfaces <INTERFACE-ID> unit 0 family ethernet-switching port-mode access

set interfaces <INTERFACE-ID> unit 0 family ethernet-switching vlan members sol-guest-vlan

set protocols dot1x authenticator interface <INTERFACE-ID> supplicant single

set protocols dot1x authenticator interface <INTERFACE-ID> quiet-period 15

set protocols dot1x authenticator interface <INTERFACE-ID> no-reauthentication

set protocols dot1x authenticator interface <INTERFACE-ID> supplicant-timeout 60

set protocols dot1x authenticator interface <INTERFACE-ID> guest-vlan sol-guest-vlan

Conclusion:

This deployment imposes no limit of its own on the number of sessions a single PPS can handle; the limit is the maximum capacity of the platform.

The Pulse Secure client might take 5-20 seconds to completely establish the Layer 2 and Layer 3 connections.